First of all, as was noted by the chair, in 2016 the government collects and handles a mass of information, so there is a need for obligations to safeguard that information. Currently, that is the subject of government policy, not legal obligations per se. There is a policy obligation imposed by the Treasury Board on departments to notify both the Treasury Board and the Office of the Privacy Commissioner when there is a significant breach of personal information, and this is a good thing. What we note, though, is that there are certain departments we never hear from, or the quality of the notifications given is at best uneven. It is a good start to have this as a policy obligation, but we think that, point one, making it a legal obligation would improve the quality, and point two, making this a legal obligation is the norm in almost all other jurisdictions, either provincially in Canada or internationally. That is the norm.
On March 10th, 2016. See this statement in context.